This article expands upon the new feature guide for FortiOS 6.4 here: https://docs.fortinet.com/document/fortigate/6.4.0/new-features/894496/nas-ip-support-per-ssl-vpn-re...
Complex FortiGate SSL-VPN setups may require very granular authentication: for example, different combinations of domains, or deciding per user population whether two-factor authentication is required.
If FortiAuthenticator serves as the RADIUS authentication server, these different authentication needs can be handled by different RADIUS policies (matching different domains, requiring or not requiring 2FA, filtering for very specific groups, etc.).
However, for FortiAuthenticator to match a request to the right RADIUS policy, it needs some way to tell the requests apart, so FortiGate has to include an identifying characteristic in each request.
FortiOS 6.4 introduced such a feature: setting a NAS-IP per SSL-VPN realm.
The setup works as follows:
- Different SSL-VPN realms for different authentication needs (groups/domains/2FA/…).
- A realm will be associated with a specific (bogus) NAS-IP.
- If a user tries to log in via a specific realm, FortiGate sends the authentication request to FortiAuthenticator and includes the realm-specific NAS-IP.
- FortiAuthenticator applies a specific RADIUS policy based on that NAS-IP.
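To make the mechanism concrete, the following is an added example (not FortiGate or FortiAuthenticator code) that builds a minimal RADIUS Access-Request carrying the realm-specific NAS-IP-Address attribute, parses it the way a RADIUS server would, and selects a policy from that attribute. The NAS-IPs, policy names and the reject behaviour for missing or unknown NAS-IPs are assumptions for illustration.

```python
import os
import struct
from ipaddress import IPv4Address

# RADIUS attribute types used here (RFC 2865)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
CODE_ACCESS_REQUEST = 1

def build_access_request(username, nas_ip=None, identifier=1, authenticator=None):
    """Build a minimal Access-Request with User-Name and, if given, NAS-IP-Address."""
    authenticator = authenticator or os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode())]
    if nas_ip is not None:
        attrs.append((ATTR_NAS_IP_ADDRESS, IPv4Address(nas_ip).packed))
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body

def parse_attributes(packet):
    """Return {attr_type: value} from a RADIUS packet, rejecting malformed lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS packet length")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs

# Constructed mapping of per-realm NAS-IPs to RADIUS policies (assumption, not from the article)
REALM_POLICIES = {
    "10.255.0.1": "corp-password-only",
    "10.255.0.2": "corp-require-2fa",
}

def select_policy(packet):
    """Pick the RADIUS policy by NAS-IP; reject when the attribute is absent or unknown."""
    raw = parse_attributes(packet).get(ATTR_NAS_IP_ADDRESS)
    if raw is None or len(raw) != 4:
        return "reject-no-nas-ip"
    return REALM_POLICIES.get(str(IPv4Address(raw)), "reject-unknown-nas-ip")
```

Rejecting requests with an unknown NAS-IP rather than falling through to a default policy keeps a misconfigured realm from silently landing on the weaker policy.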
A FortiGate configuration example can be found here:
For FortiAuthenticator, the following needs to be added to a RADIUS policy:
With NAS-IP filters in place on FortiAuthenticator, different RADIUS policies can be applied based on different SSL-VPN realms in FortiGate.
This method can also be used with other RADIUS authentication servers (NPS, for example), as long as those servers can apply different authentication policies based on the RADIUS attributes in the Access-Request.